This document describes the relationship between the three tenets of identity assertion in the Solid ecosystem.
A WebID is an IRI over which one asserts control and denotes:
- An agent as per the WebID specification terminology
- An End-User as per OpenID Connect terminology
- A Resource Owner in terms of OAuth2.0 roles
An Identity Provider provides an identity assertion service and denotes:
- An Identity Provider (IdP) as per the Solid OIDC specification terminology
- An OpenID Provider (OP) as per OpenID Connect terminology
- An Authorization Server (AS) in terms of OAuth2.0 roles
A Solid Data Pod (Pod) will grant and deny access to resources denoted by IRIs, which potentially include WebIDs.
Granting and denying access to resources will often be based on a form of identity assertion.
Creating a Pod requires:
- A WebID. I need to mint one. I can either buy a domain name and manually create it or find a service provider that mints WebIDs.
- An Identity Provider. I need to sign up to an IdP using my WebID. I will need to add the IdP as a trusted Identity Provider by editing my WebID.
If you don't want to bother with the manual steps, here is how a signup protocol for a Pod might work:
- Go to https://pod.example.com
- Click create new Pod
- In the user ID field, instead of using an existing WebID such as https://alice.example.com/#me, choose a name that will allow pod.example.com to mint a WebID for you, for example alice
- Choose an Identity Provider from the dropdown of https://pod.example.com trusted IdPs or enter the URI of one, for example https://idp.example.com
- Click on register
- pod.example.com mints a WebID for you with the Identity Provider https://idp.example.com as trusted oidcIssuer and a randomly generated OIDC registration token
- You get redirected to https://idp.example.com to register with the issuer, with your WebID and OIDC registration token as prefilled parameters
- Fill the registration form, which may include an email for recovery...
- Register/login with your IdP, which will check the WebID minted for you by your Pod provider for the trusted issuer and registration token
- Once logged in, you get redirected to your pod provider, which can finish provisioning your pod and grant you access to it since you're logged in
Note: Both the WebID provider and the IdP can require extra account recovery signup parameters, such as an email or a second WebID, or grant you recovery codes...
If the Pod provider is not your WebID provider, they should not provide extra account recovery signup parameters; however, a Pod could be co-owned by multiple WebIDs.
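The minting and checking steps of the signup protocol above, as an added example that is not part of the original document or of any Solid implementation: the Pod provider writes the trusted `solid:oidcIssuer` and a random registration token into the new WebID document, and the IdP, after fetching that document from the WebID itself, accepts the registration only if it is the listed issuer and the presented token matches. The token predicate `https://pod.example.com/ns#oidcRegistrationToken` is an assumption (Solid OIDC defines no such term), and the profile is written as N-Triples to keep the parser small.

```python
import hmac
import re
import secrets

SOLID_OIDC_ISSUER = "http://www.w3.org/ns/solid/terms#oidcIssuer"
# Assumed predicate: the Solid OIDC spec defines no registration-token term,
# so a Pod provider would have to choose its own vocabulary for it.
REG_TOKEN = "https://pod.example.com/ns#oidcRegistrationToken"

# One N-Triples line: <s> <p> <o> .  or  <s> <p> "literal" .
TRIPLE = re.compile(r'^<([^>]+)>\s+<([^>]+)>\s+(?:<([^>]+)>|"([^"]*)")\s+\.$')


def mint_webid(pod_origin: str, name: str, issuer: str) -> tuple[str, str, str]:
    """Pod provider side: return (webid, profile_document, registration_token)."""
    webid = f"{pod_origin}/{name}/profile/card#me"
    token = secrets.token_urlsafe(32)  # unguessable, meant to be single use
    doc = "\n".join([
        f"<{webid}> <{SOLID_OIDC_ISSUER}> <{issuer}> .",
        f'<{webid}> <{REG_TOKEN}> "{token}" .',
    ])
    return webid, doc, token


def parse_ntriples(doc: str) -> list[tuple[str, str, str]]:
    """Minimal N-Triples reader for the constructed profile document."""
    triples = []
    for line in doc.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TRIPLE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        obj = m.group(3) if m.group(3) is not None else m.group(4)
        triples.append((m.group(1), m.group(2), obj))
    return triples


def idp_accepts_registration(webid: str, profile_doc: str,
                             my_issuer: str, presented_token: str) -> bool:
    """IdP side. profile_doc must be fetched by the IdP from `webid` itself,
    never taken from the client, otherwise anyone could claim any WebID."""
    triples = parse_ntriples(profile_doc)
    issuers = {o for s, p, o in triples if s == webid and p == SOLID_OIDC_ISSUER}
    tokens = [o for s, p, o in triples if s == webid and p == REG_TOKEN]
    if my_issuer not in issuers:
        return False  # the WebID does not list this IdP as a trusted issuer
    # exactly one token must be published, compared in constant time
    return len(tokens) == 1 and hmac.compare_digest(tokens[0], presented_token)
```

After a successful registration the Pod provider should remove the token triple from the profile, since a token that stays published is no longer single use.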
- Go to pod.example.com
- Click register for a Pod
- Enter your WebID and your IdP
- Get redirected to your IdP and login
- Get redirected back to your Pod Provider, which will assert your ownership of the WebID and provision a Pod for you